Fake Movie injects malicious content into high profile sites

News by Robert Abel

A malicious Windows shortcut file disguised as a movie on The Pirate Bay torrent tracker is capable of injecting malicious content from the attacker into high-profile websites as well as for stealing cryptocurrency.

A malicious Windows shortcut file disguised as a movie on The Pirate Bay torrent tracker is capable of injecting malicious content from the attacker into high-profile websites as well as for stealing cryptocurrency.

A security researcher who goes by the twitter handle 0xffff0800 discovered the malware masquerading as a video file for the movie "The Girl in the Spider’s Web" that was actually a .LNK shortcut that executed a PowerShell command.

The researcher shared samples of the malware to Bleeping Computer’s Lawrence Abrams who further analysed samples and learned the malware is capable of poisoning Google, Wikipedia, Yandex and other high profile search sites, according to a 12 January blog post.

On Google, for example, the malware could inject malicious search result onto a user’s page so that the attacker’s promoted content appear at the top of a user’s results.

"To do this, the malware modifies registry keys to disable Windows Defender protection if Microsoft’s antivirus is enabled," researchers said in the blog. "It also forcibly installs in Firefox an extension called ‘Firefox Protection’ and hijacks the Chrome extension called ‘Chrome Media Router’, with the ID ‘pkedcjkdefgpdelpbcmbmeomcjbeemfm.’"

The malware will also try to steal cryptocurrency, in a donation scam the malware’s injection mechanism inserts a fake donation banner claiming the site now accepts cryptocurrency while displaying wallet addresses to "donate" to.

The Wikipedia scam advertised two wallets, a Bitcoin wallet which at the time of writing had US$ 70 (£54) worth of currency while the Ethereum wallet had about US$ 600 (£467) worth of cryptocurrency at the time of writing. Researchers also linked to a third wallet to the scam that wasn’t included in the Wikipedia donation scam which had US$ 13 (£10).

All three wallets are also used in a malicious scam designed to replace Bitcoin and Ethereum addresses found on web pages in an attack by pasting the attacker’s address after a user attempts to copy the intended recipient’s address.

Researchers recommend users take caution when getting movies from torrent trackers as they can easily be leveraged by threat actors to deliver threats such as this. 

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events